[csw-maintainers] Fwd: [findutils 0004769]: Current stable release is vulnerable to CVE-2007-2452

Philip Brown phil at bolthole.com
Sun May 15 22:01:20 CEST 2011


On Sun, May 15, 2011 at 11:51 AM, Peter Bonivart <bonivart at opencsw.org> wrote:
> On Sun, May 15, 2011 at 8:24 PM, Ben Walton <bwalton at opencsw.org> wrote:
>>
>> Does anyone have stable installs kicking around still?  Want to roll
>> an updated findutils for it?
>
> Before someone spends time on this maybe we should find out how to
> actually update a package in stable?

There is the technical "how to update the catalog", and there is
policy on "what kind of updates are allowed to packages in stable".
See below.

> About 18 months ago I updated BIND for security reasons, I even
> packaged it the same way but it never got released. It was a waste of
> time for me and the users of stable never got the secure version.

It was rejected for one of two reasons (I don't remember which).
Either
a) you did not verify you had tested it, or
b) you went too far in your updates. You did not merely patch the
security hole, but changed the package.


To restate that in terms of "what kind of updates are allowed to
packages in stable?":

Stable package updates should only be done at critical need (i.e. a
crucial security flaw), and they should involve only minimal change to
the package. Ideally, just patching the security hole, and a
recompile. No version changes, etc.

Anything beyond that, and it is no longer "stable".

The actual adding of a package into stable is trivial.